
sela's Introduction

SELA

SimplE Lossless Audio


A lossless audio codec which aims to be as simple as possible while still having good enough compression ratios.


Build Requirements

  • cmake
  • MSVC/GCC/CLANG/INTEL (Any compiler supporting C++11 should work)
  • libao-dev (Linux/BSD); on Windows you can skip this dependency

Current status

Task Status
Encoder DONE
Decoder DONE
Reading and Writing WAV files DONE
Reading and Writing SELA files DONE
Multithreaded Encoding & Decoding DONE
Player DONE
Metadata support TODO
Seektable support TODO
Support for 24 bit audio TODO
Optimization TODO

Block Diagrams

Encoder and Decoder block diagrams (images)

To understand the core algorithm, see the code in the frame namespace; it uses the maths implemented in the lpc and rice namespaces.

References

NOTE: You can get the legacy C code by switching to the legacy branch.

Also, check out the Java version of this codec at https://github.com/sahaRatul/sela-java

sela's People

Contributors

bryant1410, saharatul, stickerpants, web-flow


sela's Issues

Segmentation fault in sample_generator.cpp:15:18

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -d @@ /dev/null

AddressSanitizer output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==11955==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052ebd6 bp 0x7f26af4af2b0 sp 0x7f26af4af130 T80)
==11955==The signal is caused by a READ memory access.
==11955==Hint: address points to the zero page.
    #0 0x52ebd5 in lpc::SampleGenerator::generateSamples(std::vector<int, std::allocator<int> >&) /home/seviezhou/sela/src/lpc/sample_generator.cpp:15:18
    #1 0x52e78d in lpc::SampleGenerator::process() /home/seviezhou/sela/src/lpc/sample_generator.cpp:37:5
    #2 0x541468 in frame::FrameDecoder::process() /home/seviezhou/sela/src/frame/frame_decoder.cpp:34:84
    #3 0x56e3fe in sela::LoopThrough::process(std::vector<data::WavFrame, std::allocator<data::WavFrame> >&) /home/seviezhou/sela/src/sela/decoder.cpp:30:47
    #4 0x7f26da7beb0f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0b0f)
    #5 0x7f26da1cf6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #6 0x7f26d98e14dc in clone /build/glibc-e6zv40/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/seviezhou/sela/src/lpc/sample_generator.cpp:15:18 in lpc::SampleGenerator::generateSamples(std::vector<int, std::allocator<int> >&)
Thread T80 created by T0 here:
    #0 0x434b8d in pthread_create /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_interceptors.cc:204
    #1 0x7f26da7beda4 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0da4)
    #2 0x56c1ea in sela::Decoder::processFrames(std::vector<data::WavFrame, std::allocator<data::WavFrame> >&) /home/seviezhou/sela/src/sela/decoder.cpp:68:34
    #3 0x56d73b in sela::Decoder::process() /home/seviezhou/sela/src/sela/decoder.cpp:98:5
    #4 0x51dbe8 in decodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:39:37
    #5 0x51f553 in main /home/seviezhou/sela/src/main.cpp:85:17
    #6 0x7f26d97fa83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

==11955==ABORTING

POC

SEGV-generateSamples-sample_generator-15.zip

Malloc size error when the input wav file does not exist

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -d ./notfound /dev/null

AddressSanitizer output

Encoding: ./notfound
==27569==WARNING: AddressSanitizer failed to allocate 0xffffffffffffffff bytes
==27569==AddressSanitizer's allocator is terminating the process instead of returning 0
==27569==If you don't like this behavior set allocator_may_return_null=1
==27569==AddressSanitizer CHECK failed: /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225 "((0)) != (0)" (0x0, 0x0)
    #0 0x4e9cef in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_rtl.cc:69
    #1 0x506c65 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x4efb16 in __sanitizer::ReportAllocatorCannotReturnNull() /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225
    #3 0x4efb53 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:241
    #4 0x420e77 in __asan::asan_memalign(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_allocator.cc:900
    #5 0x518248 in operator new(unsigned long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #6 0x54c83a in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/ext/new_allocator.h:111:27
    #7 0x54c83a in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/alloc_traits.h:436
    #8 0x54c83a in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:296
    #9 0x54c83a in std::vector<char, std::allocator<char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/vector.tcc:604
    #10 0x54a809 in std::vector<char, std::allocator<char> >::resize(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:827:4
    #11 0x550427 in file::WavFile::readFromFile(std::basic_ifstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/file/wav_file.cpp:44:14
    #12 0x5655b3 in sela::Encoder::readFrames() /home/seviezhou/sela/src/sela/encoder.cpp:37:13
    #13 0x5655b3 in sela::Encoder::process() /home/seviezhou/sela/src/sela/encoder.cpp:97
    #14 0x51d568 in encodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:32:39
    #15 0x51ef56 in main /home/seviezhou/sela/src/main.cpp:75:17
    #16 0x7f6789a2883f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #17 0x41c5e8 in _start (/home/seviezhou/sela/build/sela+0x41c5e8)

Segmentation fault in frame_decoder.cpp:65:35

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -d @@ /dev/null

AddressSanitizer output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==41926==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005422ce bp 0x7fc345bafcb0 sp 0x7fc345baf2c0 T80)
==41926==The signal is caused by a READ memory access.
==41926==Hint: address points to the zero page.
    #0 0x5422cd in frame::FrameDecoder::process() /home/seviezhou/sela/src/frame/frame_decoder.cpp:65:35
    #1 0x56e3fe in sela::LoopThrough::process(std::vector<data::WavFrame, std::allocator<data::WavFrame> >&) /home/seviezhou/sela/src/sela/decoder.cpp:30:47
    #2 0x7fc370e9bb0f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0b0f)
    #3 0x7fc3708ac6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #4 0x7fc36ffbe4dc in clone /build/glibc-e6zv40/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/seviezhou/sela/src/frame/frame_decoder.cpp:65:35 in frame::FrameDecoder::process()
Thread T80 created by T0 here:
    #0 0x434b8d in pthread_create /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_interceptors.cc:204
    #1 0x7fc370e9bda4 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0da4)
    #2 0x56c1ea in sela::Decoder::processFrames(std::vector<data::WavFrame, std::allocator<data::WavFrame> >&) /home/seviezhou/sela/src/sela/decoder.cpp:68:34
    #3 0x56d73b in sela::Decoder::process() /home/seviezhou/sela/src/sela/decoder.cpp:98:5
    #4 0x51dbe8 in decodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:39:37
    #5 0x51f553 in main /home/seviezhou/sela/src/main.cpp:85:17
    #6 0x7fc36fed783f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

==41926==ABORTING

POC

SEGV-process-frame_decoder-65.zip

A heap-buffer-overflow in sela_file.cpp:90:53

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -d @@ /dev/null

AddressSanitizer output

=================================================================
==14920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005776 at pc 0x000000548e15 bp 0x7fffc4c572d0 sp 0x7fffc4c572c8
READ of size 1 at 0x62a000005776 thread T0
    #0 0x548e14 in file::SelaFile::readFromFile(std::basic_ifstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/file/sela_file.cpp:90:53
    #1 0x56d713 in sela::Decoder::readFrames() /home/seviezhou/sela/src/sela/decoder.cpp:38:14
    #2 0x56d713 in sela::Decoder::process() /home/seviezhou/sela/src/sela/decoder.cpp:97
    #3 0x51dbe8 in decodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:39:37
    #4 0x51f553 in main /home/seviezhou/sela/src/main.cpp:85:17
    #5 0x7f7cb33b783f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x41c5e8 in _start (/home/seviezhou/sela/build/sela+0x41c5e8)

0x62a000005776 is located 3 bytes to the right of 21875-byte region [0x62a000000200,0x62a000005773)
allocated by thread T0 here:
    #0 0x518278 in operator new(unsigned long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #1 0x54c83a in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/ext/new_allocator.h:111:27
    #2 0x54c83a in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/alloc_traits.h:436
    #3 0x54c83a in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:296
    #4 0x54c83a in std::vector<char, std::allocator<char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/vector.tcc:604

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/sela/src/file/sela_file.cpp:90:53 in file::SelaFile::readFromFile(std::basic_ifstream<char, std::char_traits<char> >&)
Shadow bytes around the buggy address:
==14920==ABORTING

POC

heap-overflow-readFromFile-sela_file-90.zip

various BOF in sela decoder

Hey Ratul,

When I was fuzzing the SELA decoder, I found many unique crashes, which I report in this and maybe other issues:

id_000000,sig_06,src_000004,op_flip1,pos_10.zip


SimplE Lossless Audio Decoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : crash/id:000000,sig:06,src:000004,op:flip1,pos:10
Output : out.wav

Stream Information
------------------
Sample rate : 22050 Hz
Bits per sample : 16
Channels : 129

Metadata
--------
No metadata found
=================================================================
==2752==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd8218ef20 at pc 0x00000049e5ac bp 0x7ffd8218a410 sp 0x7ffd82189bc0
WRITE of size 9304 at 0x7ffd8218ef20 thread T0
    #0 0x49e5ab in fread (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x49e5ab)
    #1 0x516d16 in main /home/xer0days/Service_test/sela-latest/core/decode.c:146:12
    #2 0x7f49379e582f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41a188 in _start (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x41a188)

Address 0x7ffd8218ef20 is located in stack of thread T0 at offset 18944 in frame
    #0 0x515daf in main /home/xer0days/Service_test/sela-latest/core/decode.c:13

  This frame has 28 object(s):
    [32, 36) 'magic_number' (line 30)
    [48, 49) 'channels' (line 42)
    [64, 65) 'curr_channel' (line 42)
    [80, 81) 'rice_param_ref' (line 42)
    [96, 97) 'rice_param_residue' (line 42)
    [112, 113) 'opt_lpc_order' (line 42)
    [128, 130) 'bps' (line 43)
    [144, 146) 'num_ref_elements' (line 45)
    [160, 162) 'num_residue_elements' (line 45)
    [176, 178) 'samples_per_channel' (line 45)
    [192, 196) 'sample_rate' (line 46)
    [208, 212) 'temp' (line 48)
    [224, 228) 'estimated_frames' (line 49)
    [240, 640) 's_ref' (line 56)
    [704, 8896) 's_residues' (line 57)
    [9152, 17344) 'rcv_samples' (line 58)
    [17600, 18408) 'lpc' (line 59)
    [18544, 18944) 'compressed_ref' (line 60)
    [19008, 27200) 'compressed_residues' (line 61) <== Memory access at offset 18944 partially underflows this variable
    [27456, 27856) 'decomp_ref' (line 62) <== Memory access at offset 18944 partially underflows this variable
    [27920, 36112) 'decomp_residues' (line 63) <== Memory access at offset 18944 partially underflows this variable
    [36368, 37168) 'ref' (line 64)
    [37296, 117296) 'lpc_mat' (line 65)
    [117552, 117572) 'read_state' (line 68)
    [117616, 117649) 'keys_inst' (line 69)
    [117696, 117720) 'ape_read_list' (line 70)
    [117760, 117792) 'read_header' (line 71)
    [117824, 117868) 'hdr' (line 124)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x49e5ab) in fread
Shadow bytes around the buggy address:
==2752==ABORTING

The compressed_ref variable is defined like:

uint32_t compressed_ref[MAX_LPC_ORDER];

but there is something wrong:

<PEDA> where
#0  main (argc=0x3, argv=0x7fffffffdf48) at core/decode.c:146
#1  0x00007ffff7725830 in __libc_start_main (main=0x400ae0 <main>, argc=0x3, argv=0x7fffffffdf48, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf38) at ../csu/libc-start.c:291
#2  0x0000000000400a09 in _start ()
<PEDA> p sizeof(uint32_t)
$11 = 0x4
<PEDA> p/d num_ref_elements
$12 = 43605
<PEDA> p i
$13 = 0x1
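A bounded version of that read, added here as an example and not taken from SELA's code: the element count is checked against MAX_LPC_ORDER before fread() is handed a length to write into the fixed-size array, and a truncated stream is rejected instead of decoded. The record layout (a uint16 count followed by uint32 values) is a constructed simplification, not the real SELA frame format; MAX_LPC_ORDER = 100 is inferred from the 400-byte compressed_ref object in the ASan frame listing.

```c
#include <stdio.h>
#include <stdint.h>

/* The 400-byte compressed_ref object in the ASan frame listing holds 100 uint32_t values. */
#define MAX_LPC_ORDER 100

typedef enum { REF_OK = 0, REF_SHORT_READ = 1, REF_TOO_MANY = 2 } ref_status;

/* Reads one reference block: a uint16 element count followed by that many uint32 values.
 * This layout is a constructed simplification for the example, not the real SELA frame
 * format. The count is compared with the destination capacity BEFORE fread() is handed
 * a length, so a count such as 43605 can no longer size a write into a 100-element array. */
ref_status read_ref_block(FILE *fp, uint32_t compressed_ref[MAX_LPC_ORDER],
                          uint16_t *num_ref_elements)
{
    uint16_t count;
    if (fread(&count, sizeof count, 1, fp) != 1)
        return REF_SHORT_READ;
    if (count > MAX_LPC_ORDER)
        return REF_TOO_MANY;                         /* untrusted length exceeds the buffer */
    if (fread(compressed_ref, sizeof compressed_ref[0], count, fp) != count)
        return REF_SHORT_READ;                       /* truncated input: reject, do not decode */
    *num_ref_elements = count;
    return REF_OK;
}

/* Round-trips constructed bytes through a temporary file so the check exercises real fread().
 * Returns the accepted element count, or the negated ref_status on rejection. */
int accepted_ref_count(const unsigned char *buf, size_t len)
{
    uint32_t compressed_ref[MAX_LPC_ORDER];
    uint16_t n = 0;
    ref_status st = REF_SHORT_READ;
    FILE *fp = tmpfile();
    if (fp && fwrite(buf, 1, len, fp) == len && fseek(fp, 0, SEEK_SET) == 0)
        st = read_ref_block(fp, compressed_ref, &n);
    if (fp) fclose(fp);
    return st == REF_OK ? (int)n : -(int)st;
}

/* Constructed inputs; the uint16 count is little-endian, as fread() on x86_64 sees it. */
static const unsigned char GOOD[]      = { 0x02, 0x00, 1, 0, 0, 0, 2, 0, 0, 0 };
static const unsigned char OVERSIZED[] = { 0x55, 0xAA, 0 };   /* count 0xAA55 = 43605, as in the PEDA session */
static const unsigned char TRUNCATED[] = { 0x03, 0x00, 1, 0, 0, 0 };

int main(void)
{
    printf("good:      %d\n", accepted_ref_count(GOOD, sizeof GOOD));           /* 2 */
    printf("oversized: %d\n", accepted_ref_count(OVERSIZED, sizeof OVERSIZED)); /* -2 */
    printf("truncated: %d\n", accepted_ref_count(TRUNCATED, sizeof TRUNCATED)); /* -1 */
    return 0;
}
```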

A heap-buffer-overflow in wav_file.cpp:262:32

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -d @@ /dev/null

AddressSanitizer output

=================================================================
==42335==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625001498100 at pc 0x000000445201 bp 0x7ffc5546e9f0 sp 0x7ffc5546e1a0
READ of size 18 at 0x625001498100 thread T0
    #0 0x445200 in __interceptor_memcpy.part.37 /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:779
    #1 0x7fe75bdf4387 in std::basic_streambuf<char, std::char_traits<char> >::xsputn(char const*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x13d387)
    #2 0x7fe75bde3262 in std::ostream::write(char const*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x12c262)
    #3 0x557736 in file::WavFile::writeToFile(std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/file/wav_file.cpp:262:32
    #4 0x51dc13 in decodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:40:13
    #5 0x51f553 in main /home/seviezhou/sela/src/main.cpp:85:17
    #6 0x7fe75adc383f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41c5e8 in _start (/home/seviezhou/sela/build/sela+0x41c5e8)

0x625001498100 is located 0 bytes to the right of 8192-byte region [0x625001496100,0x625001498100)
allocated by thread T0 here:
    #0 0x518278 in operator new(unsigned long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #1 0x525759 in __gnu_cxx::new_allocator<int>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/ext/new_allocator.h:111:27
    #2 0x525759 in std::allocator_traits<std::allocator<int> >::allocate(std::allocator<int>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/alloc_traits.h:436
    #3 0x525759 in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:296
    #4 0x525759 in std::_Vector_base<int, std::allocator<int> >::_M_create_storage(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:311
    #5 0x525759 in std::_Vector_base<int, std::allocator<int> >::_Vector_base(unsigned long, std::allocator<int> const&) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:260
    #6 0x5576d6 in file::WavFile::writeToFile(std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/file/wav_file.cpp:261:51
    #7 0x51dc13 in decodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:40:13
    #8 0x51f553 in main /home/seviezhou/sela/src/main.cpp:85:17
    #9 0x7fe75adc383f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:779 in __interceptor_memcpy.part.37
Shadow bytes around the buggy address:
==42335==ABORTING

POC

heap-overflow-writeToFile-wav_file-262.zip

Segmentation fault in rice_decoder.cpp:58:5

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -d @@ /dev/null

AddressSanitizer output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==49008==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000053a89f bp 0x7f1e280af1d0 sp 0x7f1e280af0c0 T80)
==49008==The signal is caused by a READ memory access.
==49008==Hint: address points to the zero page.
    #0 0x53a89e in rice::RiceDecoder::generateDecodedUnsignedInts() /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h
    #1 0x53a05b in rice::RiceDecoder::process() /home/seviezhou/sela/src/rice/rice_decoder.cpp:58:5
    #2 0x541287 in frame::FrameDecoder::process() /home/seviezhou/sela/src/frame/frame_decoder.cpp:28:93
    #3 0x56e3fe in sela::LoopThrough::process(std::vector<data::WavFrame, std::allocator<data::WavFrame> >&) /home/seviezhou/sela/src/sela/decoder.cpp:30:47
    #4 0x7f1e5342fb0f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0b0f)
    #5 0x7f1e52e406b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #6 0x7f1e525524dc in clone /build/glibc-e6zv40/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h in rice::RiceDecoder::generateDecodedUnsignedInts()
Thread T80 created by T0 here:
    #0 0x434b8d in pthread_create /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_interceptors.cc:204
    #1 0x7f1e5342fda4 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0da4)
    #2 0x56c1ea in sela::Decoder::processFrames(std::vector<data::WavFrame, std::allocator<data::WavFrame> >&) /home/seviezhou/sela/src/sela/decoder.cpp:68:34
    #3 0x56d73b in sela::Decoder::process() /home/seviezhou/sela/src/sela/decoder.cpp:98:5
    #4 0x51dbe8 in decodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:39:37
    #5 0x51f553 in main /home/seviezhou/sela/src/main.cpp:85:17
    #6 0x7f1e5246b83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

==49008==ABORTING

POC

SEGV-process-rice_decoder-58.zip

Program received signal SIGFPE, Arithmetic exception.

The program gets a divide-by-zero error when given this monaural wav file as input. The variable "seconds" in sela/core/encode.c:333:58 becomes zero.

Here is the output and ASAN information:

SimplE Lossless Audio Encoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : ./IN/1964.wav
Output : ./IN_1/1948.sela
WAV file detected

Stream Information
------------------
Sampling Rate : 48000 Hz
Bits per sample : 16
Channels : 1 (Monoaural)

Metadata
--------
No metadata found.
[                         ]

Statistics
----------
1 frames written (0min 0sec)
==19231==AddressSanitizer: WARNING: unexpected format specifier in printf interceptor: %
 (reported once per process)
Compression Ratio : 75.00%
AddressSanitizer:DEADLYSIGNAL
=================================================================
==19231==ERROR: AddressSanitizer: FPE on unknown address 0x00000051a06d (pc 0x00000051a06d bp 0x7fff9705b4c0 sp 0x7fff97039160 T0)
    #0 0x51a06c in main /home/fouzhe/my_fuzz/sela/core/encode.c:333:58
    #1 0x7effd35d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #2 0x41a148 in _start (/home/fouzhe/my_fuzz/sela/selaenc+0x41a148)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/fouzhe/my_fuzz/sela/core/encode.c:333:58 in main
==19231==ABORTING

Here is the gdb information; the variable "seconds" becomes 0 when inputting this file.

GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Reading symbols from selaenc...done.
(gdb) b 333
Breakpoint 1 at 0x51a040: file core/encode.c, line 333.
(gdb) run 1964.wav test.sela
Starting program: /home/fouzhe/my_fuzz/sela/selaenc 1964.wav test.sela
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
SimplE Lossless Audio Encoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : 1964.wav
Output : test.sela
WAV file detected

Stream Information
------------------
Sampling Rate : 48000 Hz
Bits per sample : 16
Channels : 1 (Monoaural)

Metadata
--------
No metadata found.
[                         ]

Statistics
----------
1 frames written (0min 0sec)
==23154==AddressSanitizer: WARNING: unexpected format specifier in printf interceptor: %
 (reported once per process)
Compression Ratio : 75.00%

Breakpoint 1, main (argc=-18431, argv=<optimized out>) at core/encode.c:333
333		fprintf(stderr,"Bitrate : %d kbps\n",(out_file_size * 8)/(seconds * 1000));
(gdb) p seconds
$1 = 0
(gdb) n

Program received signal SIGFPE, Arithmetic exception.
0x000000000051a06d in main (argc=-18431, argv=<optimized out>) at core/encode.c:333
333		fprintf(stderr,"Bitrate : %d kbps\n",(out_file_size * 8)/(seconds * 1000));
(gdb) n
__asan::AsanOnDeadlySignal (signo=8, siginfo=0x7ffff7fe8bf0, context=0x7ffff7fe8ac0) at /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/asan_posix.cc:35
35	void AsanOnDeadlySignal(int signo, void *siginfo, void *context) {
(gdb) n
36	  StartReportDeadlySignal();
(gdb) n
AddressSanitizer:DEADLYSIGNAL
37	  SignalContext sig(siginfo, context);
(gdb) n
38	  ReportDeadlySignal(sig);
(gdb) n

An improper locking bug(e.g., deadlock) on the lock &mutex

Hi developers, thank you for checking. It seems the lock mutex is not released correctly when num_bytes>0 in the function ao_plugin_play? Is it a bug or on purpose?

int ao_plugin_play(ao_device *device, const char *output_samples,
                   uint_32 num_bytes)
{
  pthread_mutex_lock(&mutex);
  ...;
    if(num_bytes>0){
      long wait = internal->buffersize*1000/(device->output_channels*device->bytewidth*device->rate);
      pthread_mutex_unlock(&mutex);
      wait = (wait/8)*1000;
      if(wait<1)wait=1;
      if(wait>500000)wait=500000;
      usleep(wait);
      pthread_mutex_lock(&mutex);
    }else{
      pthread_mutex_unlock(&mutex);
      break;
    }
  }
  return 1;
}

Best,
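As an added example (this is not sela's or libao's code), here is the shape of the quoted ao_plugin_play loop rewritten around an error-checking mutex, which is the cheapest way to answer the question asked above at runtime: with PTHREAD_MUTEX_ERRORCHECK, an unlock by a thread that does not hold the lock returns EPERM and a second lock by the owner returns EDEADLK, so an unbalanced path surfaces as a return code instead of a hang. The constants OUTPUT_CHANNELS, BYTEWIDTH and RATE and the `pending_bytes` array stand in for `internal->buffersize` and the device fields and are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1     /* usleep() and PTHREAD_MUTEX_ERRORCHECK under strict -std= flags */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Assumed device parameters for the wait computation (the report reads them from the device). */
#define OUTPUT_CHANNELS 1
#define BYTEWIDTH       2
#define RATE            48000

/* An error-checking mutex reports misuse (unlock without holding it, relock by the
   owner) through the return code instead of deadlocking or silently corrupting state. */
int init_errorcheck_mutex(pthread_mutex_t *m) {
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    int rc = pthread_mutex_init(m, &attr);
    pthread_mutexattr_destroy(&attr);
    return rc;
}

/* Same shape as the quoted loop: inspect shared state under the lock, release it
   around usleep(), take it back before re-checking. Every lock return code is checked.
   Returns the number of sleep iterations, or -errno if a lock call fails. */
int drain_loop(pthread_mutex_t *m, const unsigned *pending_bytes, size_t n)
{
    int rc = pthread_mutex_lock(m);
    if (rc != 0) return -rc;
    size_t i = 0;
    for (;;) {
        unsigned num_bytes = (i < n) ? pending_bytes[i] : 0;  /* stand-in for internal->buffersize */
        if (num_bytes > 0) {
            long wait = (long)num_bytes * 1000 / (OUTPUT_CHANNELS * BYTEWIDTH * RATE);
            pthread_mutex_unlock(m);              /* never sleep while holding the lock */
            wait = (wait / 8) * 1000;
            if (wait < 1) wait = 1;
            if (wait > 500000) wait = 500000;
            usleep((unsigned)wait);
            rc = pthread_mutex_lock(m);
            if (rc != 0) return -rc;              /* EDEADLK here would mean we never let go */
            i++;
        } else {
            pthread_mutex_unlock(m);
            break;
        }
    }
    return (int)i;
}

/* Probe used after the loop: 1 if the mutex is free, 0 if held, -1 on any other error. */
int mutex_is_free(pthread_mutex_t *m) {
    int rc = pthread_mutex_trylock(m);
    if (rc == 0) { pthread_mutex_unlock(m); return 1; }
    return rc == EBUSY ? 0 : -1;
}

/* The failure mode the report asks about, made observable: unlocking a mutex this
   thread does not hold. On an errorcheck mutex this returns EPERM. */
int unbalanced_unlock_rc(pthread_mutex_t *m) {
    return pthread_mutex_unlock(m);
}

int main(void) {
    pthread_mutex_t m;
    unsigned q[] = { 4096, 2048, 1024 };     /* constructed buffer-fill samples */
    if (init_errorcheck_mutex(&m) != 0) return 1;
    printf("iterations: %d\n", drain_loop(&m, q, 3));
    printf("free after loop: %d\n", mutex_is_free(&m));
    printf("unlock without lock -> %d (EPERM is %d)\n", unbalanced_unlock_rc(&m), EPERM);
    pthread_mutex_destroy(&m);
    return 0;
}
```

The same attribute can be switched on in a debug build of any pthread code without changing the locking logic, which makes it a good first step before reaching for a lock-order checker such as ThreadSanitizer.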

Floating point exception in sela, when wav sample_rate is zero

I found another crash. It is also a floating point exception. Then I used gdb. It is due to division by zero: the rate is read in wavutils.c:check_wav_file():51, but when the input wav file's rate is zero, encode.c:324 creates a floating point exception.

wavutils.c:check_wav_file():

...
 28         fseek(fp,0,SEEK_SET);
 29 
 30         read = fread(riffmarker,sizeof(char),4,fp);
 31         if(strncmp(riffmarker,"RIFF",4))
 32                 return ERR_NO_RIFF_MARKER;
 33 
 34         read = fread(&file_size,sizeof(int32_t),1,fp);
 35 
 36         read = fread(wavemarker,sizeof(char),4,fp);
 37         if(strncmp(wavemarker,"WAVE",4))
 38                 return ERR_NO_WAVE_MARKER;
 39 
 40         //FORMAT chunk
 41         read = fread(formatmarker,sizeof(char),4,fp);
 42         if(strncmp(formatmarker,"fmt",3))
 43                 return ERR_NO_FMT_MARKER;
 44 
 45         read = fread(&fmt_length,sizeof(int32_t),1,fp);
 46         read = fread(&fmt_type,sizeof(int16_t),1,fp);
 47         if(fmt_type != 1)
 48                 return ERR_NOT_A_PCM_FILE;
 49 
 50         read = fread(channels,sizeof(int16_t),1,fp);
 51         read = fread(sample_rate,sizeof(int32_t),1,fp); //read rate from wav
 52         read = fread(&bytes_per_sec,sizeof(int32_t),1,fp);
 53         read = fread(&bytes_by_capture,sizeof(int16_t),1,fp);
 54         read = fread(bits_per_sample,sizeof(int16_t),1,fp);
...

encode.c

...
315                         fprintf(stderr,"=");
316                 for(i = 0; i < (25 - (percent >> 2)); i++)
317                         fprintf(stderr," ");
318                 fprintf(stderr,"]");
319         }
320 
321         fprintf(stderr,"\n");
322         fprintf(stderr,"\nStatistics\n");
323         fprintf(stderr,"----------\n");
324         seconds = ((uint32_t)(frame_sync_count * BLOCK_SIZE)/(sample_rate));//when sample_rate is zero it will crash
325         fprintf(stderr,"%d frames written (%dmin %dsec)\n",
326                 frame_sync_count,(seconds/60),(seconds%60));
327         fseek(infile,0,SEEK_END);
328         fseek(outfile,0,SEEK_END);
329 
330         in_file_size = ftell(infile);
331         out_file_size = ftell(outfile);
332         fprintf(stderr,"Compression Ratio : %0.2f%\n",100 * (float)((float)out_file_size/(float)in_file_size));
333 //      fprintf(stderr,"Bitrate : %d kbps\n",(out_file_size * 8)/(seconds * 1000+1));
334 
335         //Cleanup
336         free(buffer);
337         destroy_wav_tags(&tags);
338         free_apev2_list(&state,&ape_list);
...

A heap-buffer-overflow in rice_decoder.cpp:39

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -d @@ /dev/null

AddressSanitizer output

=================================================================
==28346==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001058 at pc 0x00000053ad8d bp 0x7f61d7aaf0b0 sp 0x7f61d7aaf0a8
READ of size 8 at 0x602000001058 thread T80
    #0 0x53ad8c in std::_Bit_reference::operator bool() const /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:83:17
    #1 0x53ad8c in rice::RiceDecoder::generateDecodedUnsignedInts() /home/seviezhou/sela/src/rice/rice_decoder.cpp:39
    #2 0x53a05b in rice::RiceDecoder::process() /home/seviezhou/sela/src/rice/rice_decoder.cpp:58:5
    #3 0x541287 in frame::FrameDecoder::process() /home/seviezhou/sela/src/frame/frame_decoder.cpp:28:93
    #4 0x56e3fe in sela::LoopThrough::process(std::vector<data::WavFrame, std::allocator<data::WavFrame> >&) /home/seviezhou/sela/src/sela/decoder.cpp:30:47
    #5 0x7f6202d78b0f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0b0f)
    #6 0x7f62027896b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #7 0x7f6201e9b4dc in clone /build/glibc-e6zv40/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x602000001058 is located 0 bytes to the right of 8-byte region [0x602000001050,0x602000001058)
allocated by thread T80 here:
    #0 0x518278 in operator new(unsigned long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #1 0x534dcd in __gnu_cxx::new_allocator<unsigned long>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/ext/new_allocator.h:111:27
    #2 0x534dcd in std::allocator_traits<std::allocator<unsigned long> >::allocate(std::allocator<unsigned long>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/alloc_traits.h:436
    #3 0x534dcd in std::_Bvector_base<std::allocator<bool> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:530
    #4 0x534dcd in std::vector<bool, std::allocator<bool> >::_M_reallocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/vector.tcc:764
    #5 0x534560 in std::vector<bool, std::allocator<bool> >::reserve(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:921:4

Thread T80 created by T0 here:
    #0 0x434b8d in pthread_create /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_interceptors.cc:204
    #1 0x7f6202d78da4 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0da4)
    #2 0x56c1ea in sela::Decoder::processFrames(std::vector<data::WavFrame, std::allocator<data::WavFrame> >&) /home/seviezhou/sela/src/sela/decoder.cpp:68:34
    #3 0x56d73b in sela::Decoder::process() /home/seviezhou/sela/src/sela/decoder.cpp:98:5
    #4 0x51dbe8 in decodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:39:37
    #5 0x51f553 in main /home/seviezhou/sela/src/main.cpp:85:17
    #6 0x7f6201db483f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:83:17 in std::_Bit_reference::operator bool() const
Shadow bytes around the buggy address:
  0x0c047fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff8200: fa fa 04 fa fa fa 04 fa fa fa 00[fa]fa fa 00 fa
  0x0c047fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28346==ABORTING

POC

heap-overflow-generateDecodedUnsignedInts-rice_decoder-39.zip

Floating point exception in sela

Hello, the second crash in sela is a floating point exception. My company has a proxy, so I can't provide my crash file. So you can run AFL with sela; the two crashes will appear soon.
Here is the second crash's information:

SimplE Lossless Audio Encoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : /home/lx/5_29/SELA/AFL/sela-latest/fuzz/fuzzing_output/crashes/id:000000,sig:08,src:000000,op:flip1,pos:22
Output : output.sela
WAV file detected

Stream Information
------------------
Sampling Rate : 44100 Hz
Bits per sample : 16
Channels : 0 

Metadata
--------
No metadata found.
Floating point exception

When using gdb on sela, the information is the following:

Program received signal SIGFPE, Arithmetic exception.
0x00000000004024fb in main (argc=4, argv=0x7fffffffe298) at core/encode.c:218

A heap-buffer-overflow in sela_file.cpp:78:67

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -d @@ /dev/null

AddressSanitizer output

=================================================================
==36806==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005775 at pc 0x000000548d25 bp 0x7ffef4e9b430 sp 0x7ffef4e9b428
READ of size 1 at 0x62a000005775 thread T0
    #0 0x548d24 in file::SelaFile::readFromFile(std::basic_ifstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/file/sela_file.cpp:78:67
    #1 0x56d713 in sela::Decoder::readFrames() /home/seviezhou/sela/src/sela/decoder.cpp:38:14
    #2 0x56d713 in sela::Decoder::process() /home/seviezhou/sela/src/sela/decoder.cpp:97
    #3 0x51dbe8 in decodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:39:37
    #4 0x51f553 in main /home/seviezhou/sela/src/main.cpp:85:17
    #5 0x7fa6b3dd783f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x41c5e8 in _start (/home/seviezhou/sela/build/sela+0x41c5e8)

0x62a000005775 is located 2 bytes to the right of 21875-byte region [0x62a000000200,0x62a000005773)
allocated by thread T0 here:
    #0 0x518278 in operator new(unsigned long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #1 0x54c83a in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/ext/new_allocator.h:111:27
    #2 0x54c83a in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/alloc_traits.h:436
    #3 0x54c83a in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:296
    #4 0x54c83a in std::vector<char, std::allocator<char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/vector.tcc:604

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/sela/src/file/sela_file.cpp:78:67 in file::SelaFile::readFromFile(std::basic_ifstream<char, std::char_traits<char> >&)
Shadow bytes around the buggy address:
  0x0c547fff8a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff8aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff8ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff8ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff8ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c547fff8ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[03]fa
  0x0c547fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff8b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==36806==ABORTING

POC

heap-overflow-readFromFile-sela_file-78.zip

<malloc.h> vs. <stdlib.h>

Just out of curiosity, why are you using the non-standard <malloc.h> header instead of the standard <stdlib.h>?
Yes, I know that <malloc.h> is present on many systems, but not on all of them.
For instance, that's the single reason why encoder and decoder are failing to build on OS X. A simple find-and-replace solved the problem though.

A heap-buffer-overflow in wav_file.cpp:160:40

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -e @@ /dev/null

AddressSanitizer output

=================================================================
==65004==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000008d0 at pc 0x00000055d64b bp 0x7ffc37ec4b00 sp 0x7ffc37ec4af8
READ of size 1 at 0x6160000008d0 thread T0
    #0 0x55d64a in signed char* std::__copy_move<false, false, std::random_access_iterator_tag>::__copy_m<char*, signed char*>(char*, char*, signed char*) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algobase.h:324:20
    #1 0x55d64a in signed char* std::__copy_move_a<false, char*, signed char*>(char*, char*, signed char*) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algobase.h:385
    #2 0x55d64a in signed char* std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, signed char*>(__gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, __gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, signed char*) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algobase.h:422
    #3 0x55d42b in void std::vector<signed char, std::allocator<signed char> >::_M_range_initialize<__gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > > >(__gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, __gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algobase.h:454:15
    #4 0x557b9b in void std::vector<signed char, std::allocator<signed char> >::_M_initialize_dispatch<__gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > > >(__gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, __gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, std::__false_type) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:1437:4
    #5 0x557b9b in std::vector<signed char, std::allocator<signed char> >::vector<__gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, void>(__gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, __gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, std::allocator<signed char> const&) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:546
    #6 0x55156b in file::WavFile::readFromFile(std::basic_ifstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/file/wav_file.cpp:160:40
    #7 0x5655b3 in sela::Encoder::readFrames() /home/seviezhou/sela/src/sela/encoder.cpp:37:13
    #8 0x5655b3 in sela::Encoder::process() /home/seviezhou/sela/src/sela/encoder.cpp:97
    #9 0x51d568 in encodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:32:39
    #10 0x51ef56 in main /home/seviezhou/sela/src/main.cpp:75:17
    #11 0x7f16fe66183f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x41c5e8 in _start (/home/seviezhou/sela/build/sela+0x41c5e8)

0x6160000008d0 is located 0 bytes to the right of 592-byte region [0x616000000680,0x6160000008d0)
allocated by thread T0 here:
    #0 0x518278 in operator new(unsigned long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #1 0x54c83a in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/ext/new_allocator.h:111:27
    #2 0x54c83a in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/alloc_traits.h:436
    #3 0x54c83a in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:296
    #4 0x54c83a in std::vector<char, std::allocator<char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/vector.tcc:604

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algobase.h:324:20 in signed char* std::__copy_move<false, false, std::random_access_iterator_tag>::__copy_m<char*, signed char*>(char*, char*, signed char*)
Shadow bytes around the buggy address:
  0x0c2c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff8110: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
  0x0c2c7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==65004==ABORTING

POC

heap-overflow-readFromFile-wav_file-160.zip

Segmentation fault in wav_file.cpp:13:46

System info

Ubuntu x86_64, clang 6.0, sela (latest master ca09cb)

Configure

cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Command line

./build/sela -d @@ /dev/null

AddressSanitizer output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==74467==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000054f6ca bp 0x7ffd122617f0 sp 0x7ffd122616a0 T0)
==74467==The signal is caused by a READ memory access.
==74467==Hint: address points to the zero page.
    #0 0x54f6c9 in file::WavFile::WavFile(unsigned int, unsigned short, unsigned short, std::vector<data::WavFrame, std::allocator<data::WavFrame> >&&) /home/seviezhou/sela/src/file/wav_file.cpp:13:46
    #1 0x56d7da in sela::Decoder::process() /home/seviezhou/sela/src/sela/decoder.cpp:99:12
    #2 0x51dbe8 in decodeFile(std::basic_ifstream<char, std::char_traits<char> >&, std::basic_ofstream<char, std::char_traits<char> >&) /home/seviezhou/sela/src/main.cpp:39:37
    #3 0x51f553 in main /home/seviezhou/sela/src/main.cpp:85:17
    #4 0x7fb55432f83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41c5e8 in _start (/home/seviezhou/sela/build/sela+0x41c5e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/seviezhou/sela/src/file/wav_file.cpp:13:46 in file::WavFile::WavFile(unsigned int, unsigned short, unsigned short, std::vector<data::WavFrame, std::allocator<data::WavFrame> >&&)
==74467==ABORTING

POC

SEGV-WavFile-wav_file-13.zip

AccessViolation in SELA decoder

The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation. Here is the sanitizer output:

SimplE Lossless Audio Decoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : crash/id:000004,sig:06,src:000004,op:flip1,pos:2138
Output : out.wav

Stream Information
------------------
Sample rate : 22050 Hz
Bits per sample : 16
Channels : 1(Monoaural)

Metadata
--------
No metadata found
[                         ]AddressSanitizer:DEADLYSIGNAL
=================================================================
==4257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000526190 bp 0x7ffddc5c1060 sp 0x7ffddc5a4240 T0)
==4257==The signal is caused by a READ memory access.
==4257==Hint: address points to the zero page.
    #0 0x52618f in dqtz_ref_cof /home/xer0days/Service_test/sela-latest/core/lpc.c:279:13
    #1 0x516ea3 in main /home/xer0days/Service_test/sela-latest/core/decode.c:163:5
    #2 0x7f764bce182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41a188 in _start (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x41a188)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/xer0days/Service_test/sela-latest/core/lpc.c:279:13 in dqtz_ref_cof
==4257==ABORTING

and some information from gdb:

<PEDA> p q_ref[i]+64
$22 = 0x80600d41
<PEDA> x/x *0x80600d41
Cannot access memory at address 0x80600d41

id_000004,sig_06,src_000004,op_flip1,pos_2138.zip
id_000005,sig_06,src_000004,op_flip1,pos_4124.zip
id_000007,sig_06,src_000004,op_flip1,pos_9470.zip

Conan package

Hello,
Do you know about Conan?
Conan is a modern dependency manager for C++. It would be great if your library were available via a package manager for other developers.

Here you can find an example of how you can create a package for the library.

If you have any questions, just ask :-)

When Channels is a negative number, sela crashes

Hello, when I used AFL to fuzz test sela, sela produced two unique crashes. The first one is in main, core/encode.c:210. It is due to channels being a negative number; in malloc(size), size is a big number. Here is the first crash's information:

SimplE Lossless Audio Encoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : /home/lx/5_29/SELA/AFL/sela-latest/fuzz/fuzzing_output/crashes/id:000001,sig:06,src:000000,op:flip1,pos:23
Output : output.sela
WAV file detected

Stream Information
------------------
Sampling Rate : 44100 Hz
Bits per sample : 16
Channels : -32767 

Metadata
--------
No metadata found.
==53275==WARNING: AddressSanitizer failed to allocate 0xfffffffff8001000 bytes
==53275==AddressSanitizer's allocator is terminating the process instead of returning 0
==53275==If you don't like this behavior set allocator_may_return_null=1
==53275==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f00f3440d93 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x59d93)
    #1 0x7f00f3444cd3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5dcd3)
    #2 0x7f00f3400831 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x19831)
    #3 0x7f00f3443531 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5c531)
    #4 0x7f00f343b82e in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5482e)
    #5 0x4024ac in main core/encode.c:210
    #6 0x7f00f2d39f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #7 0x401248 (/home/lx/5_29/SELA/ASAN/sela-latest/selaenc+0x401248)

sela:encode.c:

201                 //Write metadata info to output
202                 written = fwrite(&metadata_sync,sizeof(int32_t),1,outfile);//Metadata syncwd
203                 metadata_size = header.tag_size + 32;
204                 fwrite(&metadata_size,sizeof(int32_t),1,outfile);
205                 write_apev2_tags(&state,outfile,ftell(outfile),&header,&ape_list);
206         }
207 
208         //Define read size
209         read_size = channels * BLOCK_SIZE;
210         int16_t *buffer = (int16_t *)malloc(sizeof(int16_t) * read_size); //the reason of crash.
211 
212         //Main loop
213         while(feof(infile) == 0)
214         {
215                 //Read Samples from input
216                 size_t read = fread(buffer,sizeof(int16_t),read_size,infile);
217 
218                 samples_per_channel = read/channels;
219 
220                 //Write frame syncword
221                 written = fwrite(&frame_sync,sizeof(int32_t),1,outfile);
222 
223                 frame_sync_count++;
224 
225                 for(i = 0; i < channels; i++)
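As an added example (not sela's own code), here is a bounds-checked parser for the RIFF/WAVE fmt chunk in C that rejects the header values behind three of the reports on this page: the zero sample rate that reaches encode.c:324, the zero channel count that reaches encode.c:218, and the negative channel count that turns encode.c:210 into a huge malloc. Reads go through a cursor that refuses to run past the end of the caller's buffer, which is the same discipline the readFromFile overflows above call for. The names `parse_wav_fmt`, `struct cursor`, `make_wav_header` and `MAX_CHANNELS` are this example's own; `BLOCK_SIZE` is assumed to be 2048, which is the value that makes -32767 channels produce the 0xfffffffff8001000-byte request in the report above. The header bytes it parses are constructed inside the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE   2048  /* assumed; matches the 0xfffffffff8001000-byte request in the report */
#define MAX_CHANNELS 8     /* policy limit chosen for this example */

enum wav_err {
    WAV_OK = 0,
    WAV_ERR_TRUNCATED,                                   /* a read would pass the buffer end */
    WAV_ERR_NO_RIFF, WAV_ERR_NO_WAVE, WAV_ERR_NO_FMT, WAV_ERR_NOT_PCM,
    WAV_ERR_BAD_CHANNELS,                                /* 0, or above MAX_CHANNELS */
    WAV_ERR_BAD_RATE,                                    /* 0 would divide by zero later */
    WAV_ERR_BAD_BITS,
    WAV_ERR_OVERFLOW                                     /* channels * BLOCK_SIZE overflows */
};

struct wav_fmt { uint16_t channels, bits_per_sample; uint32_t sample_rate; size_t read_size; };

/* Cursor over a caller-owned buffer; take() refuses to read outside [buf, buf+len). */
struct cursor { const uint8_t *buf; size_t len, pos; };

static int take(struct cursor *c, void *out, size_t n) {
    if (n > c->len - c->pos) return 0;      /* bounds check before the copy */
    memcpy(out, c->buf + c->pos, n);
    c->pos += n;
    return 1;
}
/* WAV fields are little-endian on disk regardless of host byte order. */
static int take_u16(struct cursor *c, uint16_t *v) {
    uint8_t b[2];
    if (!take(c, b, 2)) return 0;
    *v = (uint16_t)(b[0] | (b[1] << 8));
    return 1;
}
static int take_u32(struct cursor *c, uint32_t *v) {
    uint8_t b[4];
    if (!take(c, b, 4)) return 0;
    *v = (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return 1;
}
/* Read a 4-byte marker and compare it; tells "file too short" apart from "wrong marker". */
static enum wav_err expect_tag(struct cursor *c, const char *want, enum wav_err mismatch) {
    char tag[4];
    if (!take(c, tag, 4)) return WAV_ERR_TRUNCATED;
    return memcmp(tag, want, 4) == 0 ? WAV_OK : mismatch;
}

enum wav_err parse_wav_fmt(const uint8_t *data, size_t len, struct wav_fmt *out) {
    struct cursor c = { data, len, 0 };
    uint32_t skip32; uint16_t fmt_type, skip16;
    enum wav_err e;

    if ((e = expect_tag(&c, "RIFF", WAV_ERR_NO_RIFF)) != WAV_OK) return e;
    if (!take_u32(&c, &skip32)) return WAV_ERR_TRUNCATED;          /* RIFF size */
    if ((e = expect_tag(&c, "WAVE", WAV_ERR_NO_WAVE)) != WAV_OK) return e;
    if ((e = expect_tag(&c, "fmt ", WAV_ERR_NO_FMT)) != WAV_OK) return e;
    if (!take_u32(&c, &skip32)) return WAV_ERR_TRUNCATED;          /* fmt chunk length */
    if (!take_u16(&c, &fmt_type)) return WAV_ERR_TRUNCATED;
    if (fmt_type != 1) return WAV_ERR_NOT_PCM;
    if (!take_u16(&c, &out->channels) || !take_u32(&c, &out->sample_rate) ||
        !take_u32(&c, &skip32) /* bytes/sec */ || !take_u16(&c, &skip16) /* block align */ ||
        !take_u16(&c, &out->bits_per_sample)) return WAV_ERR_TRUNCATED;

    /* Semantic checks on the fields the fuzzer flipped. The format defines channels as
       unsigned, so the report's int16 -32767 arrives here as 0x8001 and fails the range test. */
    if (out->channels == 0 || out->channels > MAX_CHANNELS) return WAV_ERR_BAD_CHANNELS;
    if (out->sample_rate == 0) return WAV_ERR_BAD_RATE;
    if (out->bits_per_sample != 8 && out->bits_per_sample != 16 && out->bits_per_sample != 24)
        return WAV_ERR_BAD_BITS;
    if ((size_t)out->channels > SIZE_MAX / BLOCK_SIZE) return WAV_ERR_OVERFLOW;
    out->read_size = (size_t)out->channels * BLOCK_SIZE;      /* now safe to hand to malloc */
    return WAV_OK;
}

/* Constructed test input: a canonical 36-byte PCM header with chosen field values. */
static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

void make_wav_header(uint16_t channels, uint32_t rate, uint16_t bits, uint8_t out[36]) {
    uint16_t block_align = (uint16_t)(channels * bits / 8);
    memcpy(out, "RIFF", 4);       put_u32(out + 4, 36);
    memcpy(out + 8, "WAVE", 4);   memcpy(out + 12, "fmt ", 4);
    put_u32(out + 16, 16);        put_u16(out + 20, 1);        /* PCM */
    put_u16(out + 22, channels);  put_u32(out + 24, rate);
    put_u32(out + 28, rate * block_align);
    put_u16(out + 32, block_align);
    put_u16(out + 34, bits);
}

int main(void) {
    uint8_t h[36]; struct wav_fmt f;
    make_wav_header(1, 48000, 16, h);
    enum wav_err e = parse_wav_fmt(h, 36, &f);
    printf("valid header: err=%d read_size=%zu\n", e, f.read_size);
    make_wav_header(0x8001, 44100, 16, h);        /* the -32767 channel count from the report */
    printf("negative channel count: err=%d\n", parse_wav_fmt(h, 36, &f));
    return 0;
}
```

Checking the fields once, right after they are read, is what keeps the later arithmetic (`read/channels`, `frame_sync_count * BLOCK_SIZE / sample_rate`, `sizeof(int16_t) * read_size`) trivially safe; a fuzzer-flipped header is rejected with a specific error before any buffer is allocated.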
